In this article you will learn how to protect Secrets in your Kubernetes cluster
More https://cncf.io/blog/2021/04/22/revealing-the-secrets-of-kubernetes-secrets
Kubesploit is a cross-platform post-exploitation HTTP/2 Command & Control server and agent dedicated to containerized environments, written in Golang and built on top of the Merlin project
More: https://github.com/cyberark/kubesploit
In this article you will learn what can be done to make a Kubernetes-based environment comply with the PCI DSS
Read more https://elastisys.com/pci-dss-compliance-in-kubernetes-based-platforms
An interesting way to protect the Kubernetes config file on your computer against accidental or malicious modification or reading
Read on https://gist.github.com/PatrLind/e651d3cbc3bf68e4bd9fcc9568cbd3fb
Trivy is a simple and comprehensive vulnerability scanner for container images, Git repositories and filesystems, suitable for CI
Read more https://github.com/aquasecurity/trivy
Kube-secret-syncer is a Kubernetes operator developed using the Kubebuilder framework that keeps the values of Kubernetes Secrets synchronised with secrets in AWS Secrets Manager
Read on: https://github.com/contentful-labs/kube-secret-syncer
Popeye is a utility that scans a live Kubernetes cluster and reports potential issues with deployed resources and configurations. It sanitizes your cluster based on what is actually deployed, not on what is sitting on disk.
→ https://github.com/derailed/popeye
kube-secrets-init is a Kubernetes mutating admission webhook that mutates any Pod using specially prefixed environment variables, whether set directly or sourced from a Kubernetes Secret or ConfigMap
👉 https://github.com/doitintl/kube-secrets-init
Preflight is a tool to automatically perform Kubernetes cluster configuration checks using Open Policy Agent (OPA).
More https://github.com/jetstack/preflight
awesome-kubernetes-security: a curated list of Kubernetes security resources
👉 https://github.com/ksoclabs/awesome-kubernetes-security
The kubectl-whisper-secret plugin lets users create secrets through a secure input prompt, preventing information leakage through terminal history, shoulder surfing, etc.
👉 https://github.com/rewanth1997/kubectl-whisper-secret
cosign is a tool that can sign container images. Cosign supports:
- Hardware and KMS signing
- Bring-your-own PKI
- Our free OIDC PKI (Fulcio)
→ https://github.com/sigstore/cosign
Kubestriker is a platform-agnostic tool designed to tackle Kubernetes cluster security issues caused by misconfigurations
→ https://github.com/vchinnipilli/kubestriker
This blog post describes an experiment to automate the creation of Kubernetes Network Policies based on actual network traffic captured from applications running on a Kubernetes cluster
More: https://itnext.io/generating-kubernetes-network-policies-by-sniffing-network-traffic-6d5135fe77db
An alternative approach to Secrets management in Helm 3
Read on: https://itnext.io/helm-3-secrets-management-4f23041f05c3?source=friends_link
Learn how to set up k0s in an air-gapped environment
More: https://itnext.io/k0s-cluster-without-internet-access-ac0dda08aa63?source=friends_link
KubeEye is an open-source diagnostic tool for identifying various Kubernetes cluster issues automatically, such as misconfigurations, unhealthy components and node failures
Read more https://github.com/kubesphere/kubeeye
The worst so-called “best practice” for Docker
Read on: https://pythonspeed.com/articles/security-updates-in-docker
A detailed guide to help you ensure that only signed images can be deployed on the cluster (with OPA and Notary)
Read on https://siegert-maximilian.medium.com/ensure-content-trust-on-kubernetes-using-notary-and-open-policy-agent-485ab3a9423c
10 Kubernetes Security Context settings you should understand
Read more https://snyk.io/blog/10-kubernetes-security-context-settings-you-should-understand
CVE-2021-20291, a medium-severity vulnerability, has been found in the containers/storage Go library; it leads to Denial of Service (DoS) when vulnerable container engines pull a crafted image from a registry.
→ https://sysdig.com/blog/cve-2021-20291-cri-o-podman